
Outlook for iOS/Android Still Able to Connect After Disabling ActiveSync

When an Exchange Online mailbox has the ActiveSync protocol disabled, you may find that the Outlook app for iOS and Android mobile devices is still able to connect to the mailbox to send and receive emails.

The reason for this is the architecture of the Outlook app and the infrastructure it connects to. From TechNet:

Outlook for iOS and Android uses a stateless protocol translator component that is built and run in Azure. This component routes data and translates commands, but it doesn't cache user data. The app is coded with the Outlook device API, a proprietary API that syncs commands and data to and from the app. Exchange Online data is accessed via the publicly available REST APIs. The protocol translator enables communication between Outlook and Exchange Online.

(Image: Outlook for iOS and Android architecture diagram, via TechNet)

Even when ActiveSync is disabled the REST API is still accessible by Outlook. To block access to the REST API we need to use a different method. There are a few approaches that we can use:

  • A device access rule to block Outlook for iOS and Android. This is an organization-wide block and requires you to manually approve Outlook app usage on a per-user basis for anyone who still needs to use it, so it may not be a practical approach if you're just trying to block one user from having any mobile email access.
  • A client access rule to block REST API access. Client access rules can be targeted at specific users but managing the target list over time could be cumbersome. This approach also blocks all REST API access for the targeted users, not just the Outlook app.
  • Block the Outlook app using an EWS block list. This is the approach I'll demonstrate here.

As I've previously written here, EWS policies can be used to block or allow specific applications on a per-user or per-organization basis. If you want to block Outlook app usage for the entire organization then you would use an organization-level EWS block list. Since this example scenario is for a user who has had the ActiveSync protocol disabled I will stick to the per-user option. As a side note, if your Office 365 tenant has any “K” (kiosk) licenses then the organization-level EWS controls will not work, and you'll need to use per-user EWS controls.

First, let's take a look at the mobile device association that shows Outlook connecting to the REST API.

Next, let's look at the EWS configuration for the mailbox.

To block EWS access for the Outlook app we need to block its user agent. The iOS version of Outlook currently has a user agent of “Outlook-iOS/2.0” (shown above), and the Android version uses “Outlook-Android/2.0”. Earlier versions had a user agent of “Outlook-iOS-Android/1.0” for both platforms, so we can expect the user agent to change in the future as the version number increments. As such, it's best to use a wildcard in the EWS block list. The example below will block the original user agent, the current user agents for both platforms, and any future user agent strings that follow the same pattern.

Another look at the EWS configuration for the mailbox shows the two user agents have been added to the block list, and the EwsApplicationAccessPolicy option is now set to EnforceBlockList.

This change doesn't take effect immediately. In my demo environment it took about 30 minutes before the Outlook app on my iPad stopped retrieving new emails. The access token lifetime is 1 hour by default, though, so you should expect it to take at least that long.

To reverse the block, remove the two user agents from the block list, and if there are no more block list entries you can also null the EwsApplicationAccessPolicy.

As one last point to keep in mind, the DeviceAccessState for the mobile device association won't change from Allowed to Blocked when you use an EWS block list.
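The per-user procedure above as an added example (not code from the original post), written against the ExchangeOnlineManagement module cmdlets; the admin and mailbox addresses are placeholders. It applies the wildcard block, verifies the mailbox settings and device association, and then shows the reversal.

```powershell
# Added example: assumes the ExchangeOnlineManagement module and a placeholder admin account
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.onmicrosoft.com'

$mailbox = 'user@contoso.com'   # placeholder mailbox that already has ActiveSync disabled

# Two wildcard entries cover "Outlook-iOS-Android/1.0", "Outlook-iOS/2.0",
# "Outlook-Android/2.0" and any later version numbers with the same prefix
$blockedAgents = 'Outlook-iOS*', 'Outlook-Android*'

# Add the user agents to the per-user EWS block list and enforce it
Set-CASMailbox -Identity $mailbox `
    -EwsBlockList @{ Add = $blockedAgents } `
    -EwsApplicationAccessPolicy EnforceBlockList

# Verify: EwsBlockList should list both entries and the policy should be EnforceBlockList
Get-CASMailbox -Identity $mailbox |
    Format-List ActiveSyncEnabled, EwsEnabled, EwsApplicationAccessPolicy, EwsBlockList

# The Outlook app's device association stays "Allowed" even though EWS/REST access is now blocked
Get-MobileDevice -Mailbox $mailbox |
    Format-Table DeviceType, DeviceModel, DeviceAccessState -AutoSize

# Reversal: remove the entries, then clear the policy only if the block list is now empty
Set-CASMailbox -Identity $mailbox -EwsBlockList @{ Remove = $blockedAgents }
if ((Get-CASMailbox -Identity $mailbox).EwsBlockList.Count -eq 0) {
    Set-CASMailbox -Identity $mailbox -EwsApplicationAccessPolicy $null
}

Disconnect-ExchangeOnline -Confirm:$false
```

Allow at least the token lifetime (an hour by default) before judging whether the block has taken effect on the device.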

Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.


  1. Aravind says:

    Hi Paul,

    Is this Outlook for Android app issue present for on-premises Exchange 2013 as well?

    Could you please clarify.

    Thanks in Advance


  2. Jonathan says:

    For federated accounts what are your thoughts on a fourth option, namely applying ADFS claims rules to block access to the legacy protocols?

  3. Rocmail520 says:

    Thanks for the valuable information Paul but I have few things to clear:
    1st: why is the OL app forcing the use of the MS Authenticator app?
    2nd: not able to set up an account on the updated version which was released a week ago.
    3rd: how can I verify if the REST API is blocked or allowed?
    4th: what role does EAS play for this app?

    Thanks in advance.

    • For #1, if you’re using Exchange Online then it’s possible there is an Intune or conditional access policy being applied to your access.

      #2 – no idea, but could be related to #1

      #3 – REST API is accessed via EWS. In the article above I demonstrate EWS block lists, and also mention client access rules that can be used to restrict EWS access in Exchange Online (search for TechNet article on that topic)

      #4 – EAS is not used by the Outlook app to connect to Exchange Online mailboxes. It is used for on-premises mailboxes though.
